Protecting the confidentiality and integrity of data, whilst maintaining the availability and accessibility of underlying systems, requires appropriate assessment and management of cybersecurity risks. Cybersecurity risks are events that could lead to unauthorised access, use, disclosure, disruption, modification or destruction of information, information technology, and/or operational technology. Cybersecurity risks should be considered as part of the broader business risk environment and align with the enterprise risk management strategy and practice of the agency. Agencies should also ensure that they are assessing and managing risks in their supply chain and for any other dependencies that exist.
Decision-making throughout the project lifecycle must be guided by risk management to identify mitigations and to avoid risks that are outside of the risk tolerance of the agency. Informed decision-making processes will help to manage the cybersecurity risk, although cybersecurity risk cannot be completely eliminated.
Agencies should also use a risk-based program to implement appropriate policy and technical controls (aligned to a recognised standard e.g. ISO 27001) to mitigate the risks identified. These programs should be implemented at the earliest stages of the procurement process and throughout the procurement and operational lifecycle of any ICT or OT system. Controls should be appropriately managed, governed and reviewed to ensure that they are performing as intended. Agencies must also identify other state and federal security obligations including the NSW Cyber Security Policy which contains mandatory requirements.
Developing a properly managed, risk-based approach to cyber security is vital for agencies to protect the data they are responsible for managing. This should extend to how and when data is shared with other agencies or with central data repositories, e.g. NSW Data Portal or NSW Spatial Digital Twin.
The protection of personal information is governed by the Privacy and Personal Information Protection Act 1998. Privacy by design and privacy impact assessments can help ensure privacy and innovation and provide a strong basis for data to be used anonymously.
Mapping the data flows of the infrastructure asset – who holds it and how they handle it at different stages of the asset lifecycle – can help identify any privacy risks inherent in the project and to implement privacy by design. It is important to monitor the creation, use and access to data to ensure appropriate and secure usage. Bolting on privacy protections at the end of the project is inadequate and may result in a security or privacy breach. For more information, refer to the NSW IoT Policy Privacy by Design guidance pp. 52-54.
Personal information is also subject to data and security breach reporting requirements. In NSW, the Information and Privacy Commission provides guidance to public sector agencies on data breaches and maintains a voluntary reporting scheme supported by policy and resources. Relevant requirements also include the Commonwealth mandatory Notifiable Data Breach Scheme (NDB) for entities covered by the Privacy Act 1998 and mandatory cyber incident reporting to Cyber Security NSW under the NSW Cyber Incident Response Plan, as required by the NSW Cyber Security Policy. There may be additional notification and reporting requirements relating to personal information as well as cyber security incidents.
The NSW Cyber Security Policy includes the mandatory requirements all NSW government departments and public service agencies must adhere to, in order to ensure cyber security risks to information and systems are appropriately managed. The mandatory requirements encompass not only the risk management and cyber resilience of systems but broader organisational requirements around planning, governance, awareness, reporting and incident response. The NSW Cyber Security Policy applies not only to information and ICT systems but also Operational Technologies (e.g. Industrial Control Systems (ICS)) and Internet of Things (IoT) Devices.
The NSW Information Classification, Labelling and Handling Guidelines set out the NSW Government’s approach to classifying, labelling and handling sensitive information. The classification of information created, owned and managed by the NSW Government is a mandatory requirement under the NSW Cyber Security Policy. The Guidelines are consistent with the Australian Government security classification system.
Last updated 15 Jul 2024